of 23
7/27/2019 MU1 Module 4 Powerpoint
1/23
Course Name: Internal Auditing and Controls
Module: 4
Module Title: Planning the Internal Audit
Lectures and handouts by:
Chuck Campbell
Copyright The Certified General Accountants Association of British Columbia. All rights reserved.
1
Planning the internal auditModule 4
This module covers the planning phase of internal
auditing. Internal audit planning ranges from
long-term planning which sets the overall
strategic audit direction for several years, to
annual audit plans and finally to planning a
specific audit engagement. A comprehensive
case study will help demonstrate the points
made in the course notes, readings andlectures.
2
Internal Auditing & ControlsModule 4
Part 1 Topic 4.1 The internal auditing process
Topic 4.2 Internal audit planning processPart 2 Topic 4.3 Long-term planning overview
Topic 4.4 Long-term planning risk assessment matrix
Topic 4.5 Long-term planning case study
Part 3 Topic 4.6 Short-term (annual) audit planning
Part 4 Topic 4.7 Engagement planning
Topic 4.8 Engagement planning case study
Part 5 Module summary Learning objectives
Recent examination questions
Assignment hints
3
7/27/2019 MU1 Module 4 Powerpoint
2/23
Internal Auditing & ControlsModule 4
Part 1
Topic 4.1 The internal auditing process
Topic 4.2 Internal audit planning process
4
Phases in the internal audit
process
1. The planning phase which determines what will be audited
and how frequently. This will be the subject matter of this
module.
5
Phases in the internal audit
process (contd)
1. The planning phase which determines what will be auditedand how frequently.
2. The examination phase where internal auditors perform
specific audits following the audit programs developed in the
planning phase. This phase consists of gathering audit
evidence, analyzing it and reaching conclusions on the
subject matter of the audit. (This will be covered in Module
5.)
6
7/27/2019 MU1 Module 4 Powerpoint
3/23
Phases in the internal audit
process(contd)
1. The planning phase which determines what will be audited
and how frequently.
2. The examination phase where internal auditors perform
specific audits following the audit programs developed in the
planning phase.
3. The reporting phase in which the auditors report their
findings to the management of the audited unit and to senior
management. (This will be covered in Module 6 of this
course.)
7
Phases in the internal audit
process (contd)1. The planning phase which determines what will be audited
and how frequently.
2. The examination phase where internal auditors performspecific audits following the audit programs developed in theplanning phase.
3. The reporting phase in which the auditors report their findingsto the management of the audited unit and to seniormanagement.
4. The monitoring phase in which the internal auditordetermines the extent to which management hasimplemented corrective action to address reportedweaknesses and the degree to which the actions haveremedied the weaknesses. (This will also be addressed inModule 6.)
8
Purpose of internal audit planning
Audit planning is necessary in order to ensure that
the audit resources used produce the greatestbenefit for the organization. Long-term audit
planning involves identifying those the areas withthe greatest potential risk to the organization inorder to assess if managements efforts to keep therisks within acceptable levels are adequate and
effective. Annual audit plans and engagement plans
for specific audits carry through with maximizing thebenefit to the organization of its internal auditactivities.
9
7/27/2019 MU1 Module 4 Powerpoint
4/23
Ethical considerations in the audit
process
Ethical considerations apply throughout the
internal audit process:
in the planning phase, you must incorporate theorganizations ethical policies and ethical
responsibilities;
in the examination phase, you must use ethical ways
of obtaining audit evidence;
in the reporting phase, you must report with fairness
and objectivity;
in the monitoring phase, you must use ethical
monitoring methods.
10
The internal audit planning
process
Internal audit planning consists of four steps:
1. Gaining knowledge of the organization.
11
The internal audit planning
process (contd)
Internal audit planning consists of four steps:
1. Gaining knowledge of the organization.
2. Preparing the long-term audit plan.
12
7/27/2019 MU1 Module 4 Powerpoint
5/23
The internal audit planning
process (contd)
Internal audit planning consists of four steps:
1. Gaining knowledge of the organization.
2. Preparing the long-term audit plan.
3. Preparing the annual audit plan.
13
The internal audit planning
process (contd)
Internal audit planning consists of four steps:
1. Gaining knowledge of the organization.
2. Preparing the long-term audit plan.
3. Preparing the annual audit plan.
4. Preparing plans for specific internal auditengagements, including developing audit programs.
14
Internal Auditing & ControlsModule 4
Part 2
Topic 4.3 Long-term planning overview
Topic 4.4 Long-term planning risk assessment
matrix
Topic 4.5 Long-term planning case study
15
7/27/2019 MU1 Module 4 Powerpoint
6/23
Overview of the long-term planning
process
1. Define the audit universe.
2. Perform an overall risk assessment.
3. Determine the frequency of audits.
4. Prepare the long-term audit plan (and have itapproved).
16
Defining the audit universe
The audit universe must consist of all auditable
activities or units. Auditable activities include:
policies, procedures and practices
cost centres, profit centres and investment centres
general ledger account balances
information systems
major contracts
17
Defining the audit universe (contd)
The audit universe must consist of all auditable
activities or units. Auditable activities include: major programs
organizational units such as product or service lines
functions such as purchasing, marketing, treasury
transaction systems such as sales or payroll
compliance with laws and regulations
geographical locations such as plants or sales offices
18
7/27/2019 MU1 Module 4 Powerpoint
7/23
Performing an overall risk
assessment
In performing an overall risk assessment, the
internal auditor considers three factors:
1. controllability (which measures the ability of those in
the organization to control specific risks)
19
Performing an overall risk
assessment (contd)
In performing an overall risk assessment, the
internal auditor considers three factors:
1. controllability (which measures the ability of those in
the organization to control specific risks)
2. likelihood that a weakness will occur (a combination of
inherent risk and control risk)
20
Performing an overall risk
assessment (contd)
In performing an overall risk assessment, the internal
auditor considers three factors:
1. controllability (which measures the ability of those inthe organization to control specific risks)
2. likelihood that a weakness will occur (a combination ofinherent risk and control risk)
3. impact of that weakness, if it does occur
21
7/27/2019 MU1 Module 4 Powerpoint
8/23
Performing an overall risk
assessment (contd)
In performing an overall risk assessment, the internalauditor considers three factors:
1. controllability (which measures the ability of those inthe organization to control specific risks)
2. likelihood that a weakness will occur (a combination ofinherent risk and control risk)
3. impact of that weakness, if it does occur
The overall risk is the product of the likelihood and impact.
22
Using assurance maps
Assurance mapping can be performed to
identify significant risks with inadequate
coverage and areas of duplicated assurance
coverage.
The internal audit activity needs to consider
areas of inadequate coverage when
developing their audit plan.
23
Using assurance maps (contd)
An assurance map includes:
Identification of the significant risk category
who is responsible for managing the risk
risk assessments (likelihood and impact)
extent of external audit coverage of the risk
extent of internal audit coverage of the risk
extent of coverage by other assurance providers,both internal and external to the organization.
24
7/27/2019 MU1 Module 4 Powerpoint
9/23
Using a risk assessment matrix
Current (or residual) risk is the product of
likelihood and impact after taking into accountthe effectiveness of risk management activities
(including internal controls).
Risk ranking for purposes of audit planning uses a
risk factor which is the product of likelihood,
impact and controllability.
25
Factors affecting the assessment of
likelihood or inherent risk
The complexity of the activity or function
The nature of the function, activity or operations
The frequency of changes in personnel or
procedures
Staff and managements grasp of operations
Environmental pressures
Competency of personnel
Expressed concerns of management
26
Factors affecting the assessment of
likelihood or inherent risk (contd)
Previous audit results
Managements response to prior auditrecommendations
Management and corporate values and attitudes
Competitive market conditions
Impact of government regulations
Political risk (particularly of foreign operations)
27
7/27/2019 MU1 Module 4 Powerpoint
10/23 1
Factors in assessing the impact ofweaknesses
The financial impact
28
Factors in assessing the impact of
weaknesses (contd)
The financial impact
The impact on continuity of operations
29
Factors in assessing the impact
of weaknesses (contd)
The financial impact
The impact on continuity of operations
The impact on competitiveness
30
7/27/2019 MU1 Module 4 Powerpoint
11/23
Factors in assessing the impact
of weaknesses (contd)
The financial impact
The impact on continuity of operations
The impact on competitiveness
The impact on customer service and
reputation
31
Factors in assessing the impact of
weaknesses (contd)
The financial impact
The impact on continuity of operations
The impact on competitiveness
The impact on customer service and reputation
Legal consequences
32
Factors in assessing the impact of
weaknesses (contd)
The financial impact
The impact on continuity of operations
The impact on competitiveness
The impact on customer service and reputation
Legal consequences
Impact on public or regulatory relations
33
7/27/2019 MU1 Module 4 Powerpoint
12/23 1
Preparing the long-term audit plan
Input can be obtained from managers
throughout the organization.
The final risk rankings must reflect the
thinking of the internal audit group.
Auditable entities are ranked from highest to
lowest based on the three relevant factors
(likelihood, impact and controllability).
A risk-based audit plan is developed based
on the risk rankings.
34
Chuckle Belly Toys case study
Review the case study (Topic 4.5 in your
module notes).
Outline the advantages of preparing a risk-
based long-term audit plan.
Outline the process used in preparing a risk-
based long-term audit plan.
35
Internal Auditing & Controls
Module 4
Part 3
Topic 4.6 Short-term (annual) audit planning
36
7/27/2019 MU1 Module 4 Powerpoint
13/23 1
The annual audit plan
1. The short-term or annual audit plan is based on thelong-term strategic internal audit plan.
37
The annual audit plan (contd)
1. The annual audit plan is based on the long-termstrategic internal audit plan.
2. The long-term plan should be up-dated to reflect thework done in the previous year.
38
The annual audit plan (contd)
1. The annual audit plan is based on the long-term
strategic internal audit plan.
2. The long-term plan should be up-dated to reflect thework done in the previous year.
3. Risk assessments should be reviewed annually toidentify significant changes to the organization (and therisks that it faces) and/or its risk management, controland governance processes.
39
7/27/2019 MU1 Module 4 Powerpoint
14/23 1
The annual audit plan (contd)
1. The annual audit plan is based on the long-termstrategic internal audit plan.
2. The long-term plan should be up-dated to reflect thework done in the previous year.
3. Risk assessments should be reviewed annually toidentify significant changes to the organization (and therisks that it faces) and/or its risk management, controland governance processes.
4. Specific requests and concerns of management andthe audit committee should be taken into account.
40
The annual audit plan (contd)
1. The annual audit plan is based on the long-term strategicinternal audit plan.
2. The long-term plan should be up-dated to reflect the workdone in the previous year.
3. Risk assessments should be reviewed annually to identifysignificant changes to the organization (and the risks that itfaces) and/or its risk management, control and governanceprocesses.
4. Specific requests and concerns of management and theaudit committee should be taken into account.
5. Scheduling must take into account the specific skill setrequired for each audit engagement.
41
The annual audit plan (contd)
1. The annual audit plan is based on the long-term strategicinternal audit plan.
2. The long-term plan should be up-dated to reflect the workdone in the previous year.
3. Risk assessments should be reviewed annually to identifysignificant changes to the organization (and the risks that itfaces) and/or its risk management, control and governanceprocesses.
4. Specific requests and concerns of management and theaudit committee should be taken into account.
5. Scheduling must take into account the specific skill setrequired for each audit engagement.
6. Allowance must be made for new issues that may ariseduring the year.
42
7/27/2019 MU1 Module 4 Powerpoint
15/23 1
Internal Auditing & Controls
Module 4
Part 4
Topic 4.7 Engagement planning
Topic 4.8 Engagement planning case study
43
Planning the internal audit
engagement
1. Obtain specific knowledge (background
information) about the unit to be audited.
2. Establish the audit objectives and scope for the
engagement.
3. Determine the audit methodology to be used.
4. Set audit criteria.
44
Planning the internal audit
engagement (contd)
5. Prepare staffing plans and time budgets.
6. Communicate with those to be audited.
7. Draft the audit program for the engagement.
45
7/27/2019 MU1 Module 4 Powerpoint
16/23 1
Sources of information about the unit
to be audited
Organization charts
Mission statements Policy and procedure documents
Systems descriptions
Earlier internal audit reports
External auditors management letters
46
Sources of information about the unit
to be audited (contd)
Consultants reports
Management reports
Minutes of boards and committees
Corporate and operational plans
Budgets and forecasts
Discussions with management and other
personnel
47
The audit objectives and scope
The audit objectives must address the risks,
controls and governance processes
associated with the activity under review and
should be based on a preliminary
assessment of risk.
48
7/27/2019 MU1 Module 4 Powerpoint
17/23 1
The audit objectives and scope (contd)
The audit objectives must address the risks, controlsand governance processes associated with the
activity under review and should be based on apreliminary assessment of risk.
The audit scope defines the function or
organizational unit to be reviewed and the activitiesand time period to be covered by the audit. Thescope must be wide enough to permitaccomplishment of the audit objectives for the
engagement.
49
Determine the audit approach or
methodology
The auditor will sometimes have a choice of approaches to theaudit to be performed. Specific methodologies such asinformation systems audits, control self - assessmentexercises, compliance audits, etc. may be appropriate for aspecific audit.
The methodology and approach must be designed taking intoaccount the audit objectives and scope and the riskassessment which has preceded the audit.
The methodology used will be designed to gather sufficient,appropriate evidence to allow the internal auditor to draw the
necessary conclusions concerning the risk management,control and/or governance processes for the unit and activitiesbeing audited.
50
Setting audit criteria
Audit criteria are the standards against which
actual performance is to be compared in
assessing the risk management, control and
governance processes of the unit being
audited. Audit criteria should be agreed with
the management of the unit being audited
prior to the start of audit work.
51
7/27/2019 MU1 Module 4 Powerpoint
18/23 1
Sources of audit criteria
Sources of audit criteria include:
laws and regulations governing the organization
policies, procedures and directives
standards recommended by professionalassociations
authoritative literature
benchmarking studies
52
Sources of audit criteria (contd)
Sources of audit criteria include:
earlier internal audits
interviews with management of the organization
advice and counsel from subject matter experts
common sense and experience
53
The final steps in engagementplanning
1. Preparation of staffing plans and time budgets. (These
are based on the objectives, scope and methodology
of the engagement, considered in the light of actual
time taken in previous audits, the experience of the
staff to be assigned to the engagement, etc.)
54
7/27/2019 MU1 Module 4 Powerpoint
19/23 1
The final steps in engagement
planning (contd)
1. Preparation of staffing plans and time budgets. (Theseare based on the objectives, scope and methodology
of the engagement, considered in the light of actualtime taken in previous audits, the experience of thestaff to be assigned to the engagement, etc.)
2. Communication with those to be audited. (Mattersdiscussed should include timing, objectives and scope,criteria, assistance needed from the units personneland the process for on-going communication during theaudit.)
55
The final steps in engagement
planning (contd)
1. Preparation of staffing plans and time budgets. (Theseare based on the objectives, scope and methodologyof the engagement, considered in the light of actualtime taken in previous audits, the experience of thestaff to be assigned to the engagement, etc.)
2. Communication with those to be audited. (Mattersdiscussed should include timing, objectives and scope,criteria, assistance needed from the units personneland the process for on-going communication during theaudit.)
3. Preparing the audit program. (This willbe considered indetail in Module 5 of the course.)
56
Connon Chemicals Inc. case study
Review the case study (Topic 4.8 in your
module notes).
Attempt to identify and assess the risks faced
by Connon Chemicals when using outside toll
manufacturers.
Establish the objectives and scope of an
audit of the companys toll manufacturing
activities.
57
7/27/2019 MU1 Module 4 Powerpoint
20/23 2
Internal Auditing & Controls
Module 4
Part 5
Module summary -- Learning Objectives
Recent past examination questions
Assignment hints
58
Module 4 Learning Objectives
1. Identify the main phases of the internal
auditing process and explain their purposes;
explain how to incorporate ethics into the
process. (Level 1)
59
Module 4 Learning Objectives
2. Outline the steps for preparing the different
types of plans in the planning phase of
internal auditing. (Level 1)
60
7/27/2019 MU1 Module 4 Powerpoint
21/23 2
Module 4 Learning Objectives
3. Explain the steps for preparing a long-term
audit plan, including how an audit universe
is defined and factors that may affect overallrisk assessment. (Level 2)
61
Module 4 Learning Objectives
4. Explain how a risk-assessment matrix is
used for long-term audit planning. (Level 2)
62
Module 4 Learning Objectives
5. Outline the process of preparing a long-term
audit plan. (Level 2)
63
7/27/2019 MU1 Module 4 Powerpoint
22/23 2
Module 4 Learning Objectives
6. Explain how the auditor plans a short-term
(annual) audit plan. (Level 2)
64
Module 4 Learning Objectives
7. Design a specific audit engagement
(including determining the scope,
objectives, and audit criteria), and list seven
design areas that must be considered.
(Level 1)
65
Module 4 Learning Objectives
8. Design a plan for a specific audit
engagement using information from a case
study. (Level 1)
66
7/27/2019 MU1 Module 4 Powerpoint
23/23
Recent examination questions
The examination blueprint specifies that 8%-
10% of the questions on the course
examination will come from Module 4.
Typical examination questions:
Multiple choice questions
67
Assignment hints Assignment 2
Question 2 You may set out your answer as a table within aproperly formatted memo. The table should consist of onecolumn listing the risks to which Canadian Wood Toys Inc. isexposed and a second column setting out possible methods ofmitigating the identified risks.
Question 3 This question is typical of the exam questions for thiscourse. You are expected to outline your presentation usingMicrosoft Word. Your answer should set out the steps indeveloping a long-term audit plan and the use of a riskassessment matrix in doing so.
Question 4 Your answer should address the first six of the sevensteps in developing the audit plan for a specific internal audit
engagement (preparing the audit program is specificallyexcluded).
68